Complete reference for all environment variables used in Charon. Configure these
in .env file at the repository root.
CLOUDFLARE_API_TOKEN

Required: Yes
Sensitive: Yes
Description: Cloudflare API token with DNS edit permissions, used for automated DNS management and for cert-manager DNS-01 challenges.

How to Get:
- Go to Cloudflare API Tokens
- Create Token → Edit zone DNS template
- Permissions: Zone:DNS:Edit, Zone:Zone:Read
- Zone Resources: Include → Specific zone → your-domain.com
- Create Token and copy the value

Used By:
- Terraform (via TF_VAR_cloudflare_api_token)
- cert-manager for DNS-01 challenges
- DNS management scripts

Example:
CLOUDFLARE_API_TOKEN="your-cloudflare-api-token-here"

FREEIPA_ADMIN_PASSWORD

Required: If freeipa_enabled = true
Sensitive: Yes
Description: Admin password for the FreeIPA server. Used for initial setup and user management.

Requirements:
- Minimum 8 characters
- Mix of uppercase, lowercase, numbers
- No special characters that conflict with the shell

Used By:
- FreeIPA initialization scripts
- User creation scripts
- Configuration scripts

Example:
FREEIPA_ADMIN_PASSWORD="YourSecurePassword123"

FREEIPA_DOMAIN

Required: If freeipa_enabled = true
Sensitive: No (but specific to deployment)
Description: FreeIPA domain name. Typically matches your internal domain structure.
Format: Lowercase, dot-separated domain

Example:
FREEIPA_DOMAIN="dev.svc.cluster.local"

FREEIPA_REALM

Required: If freeipa_enabled = true
Sensitive: No (but specific to deployment)
Description: Kerberos realm for FreeIPA. Typically the uppercase version of the domain.
Format: Uppercase, dot-separated realm

Example:
FREEIPA_REALM="DEV.SVC.CLUSTER.LOCAL"

REDMINE_DB_HOST

Required: If redmine_enabled = true
Sensitive: Yes
Description: PostgreSQL database host for Redmine (external database).
Format: Hostname or IP address

Example:
REDMINE_DB_HOST="postgres.external.com"

REDMINE_DB_PORT

Required: If redmine_enabled = true
Sensitive: No
Description: PostgreSQL database port.
Default: 22110 (custom port in Charon config)
Standard PostgreSQL port: 5432

Example:
REDMINE_DB_PORT="22110"

REDMINE_DB_NAME

Required: If redmine_enabled = true
Sensitive: No
Description: PostgreSQL database name for Redmine.
Default: redmine

Example:
REDMINE_DB_NAME="redmine"

REDMINE_DB_USER

Required: If redmine_enabled = true
Sensitive: Yes
Description: PostgreSQL database username for Redmine.

Example:
REDMINE_DB_USER="redmine_user"

REDMINE_DB_PASSWORD

Required: If redmine_enabled = true
Sensitive: Yes
Description: PostgreSQL database password for Redmine.

Example:
REDMINE_DB_PASSWORD="your-secure-db-password"

HUGGINGFACE_TOKEN

Required: If vllm_enabled = true and using private models
Sensitive: Yes
Description: Hugging Face API token for accessing private models via vLLM.

How to Get:
- Go to Hugging Face Settings
- Create New Token
- Select "Read" permissions
- Copy the token

Used By:
- vLLM deployments for model downloads
- Private model access

Example:
HUGGINGFACE_TOKEN="hf_your_token_here"

LINODE_TOKEN

Required: If rwx_storage_enabled = true
Sensitive: Yes
Description: Linode API token for managing Block Storage volumes (RWX storage setup).

How to Get:
- Go to Linode API Tokens
- Create Personal Access Token
- Select permissions: "Volumes: Read/Write"
- Copy the token

Used By:
- RWX storage provisioning with Samba CIFS
- Linode Block Storage volume management

Example:
LINODE_TOKEN="your-linode-api-token"

Create .env in the repository root:
# Cloudflare
CLOUDFLARE_API_TOKEN="your-cloudflare-api-token"

# FreeIPA (if enabled)
FREEIPA_ADMIN_PASSWORD="YourSecurePassword123"
FREEIPA_DOMAIN="dev.svc.cluster.local"
FREEIPA_REALM="DEV.SVC.CLUSTER.LOCAL"

# Redmine Database (if using Redmine)
REDMINE_DB_HOST="postgres.external.com"
REDMINE_DB_PORT="22110"
REDMINE_DB_NAME="redmine"
REDMINE_DB_USER="redmine_user"
REDMINE_DB_PASSWORD="your-secure-db-password"

# Hugging Face (if using vLLM with private models)
HUGGINGFACE_TOKEN="hf_your_token_here"

# Linode (if using RWX storage)
LINODE_TOKEN="your-linode-api-token"

Export variables to Terraform:
# Load from .env
source .env
# Export for Terraform
export TF_VAR_cloudflare_api_token="$CLOUDFLARE_API_TOKEN"

Scripts automatically load from .env using Python dotenv:

# Scripts will automatically find and load .env
python scripts/dns/update_service_dns.py --zone-id $CLOUDFLARE_ZONE_ID

Security best practices:
- Never commit .env to git
  - Already in .gitignore
  - Verify with git status
- Use strong passwords
  - Minimum 16 characters for production
  - Mix of uppercase, lowercase, numbers, symbols
- Rotate tokens regularly
  - Change API tokens every 90 days
  - Update passwords quarterly
- Limit token permissions
  - Only grant minimum required permissions
  - Use separate tokens for different purposes
- Store backups securely
  - Use a password manager for credentials
  - Encrypt backup copies of .env
Troubleshooting:

# Verify .env exists
ls -la .env
# Check file contents (be careful with sensitive data)
cat .env
# Ensure proper format (no spaces around =)
# Good: CLOUDFLARE_API_TOKEN="value"
# Bad: CLOUDFLARE_API_TOKEN = "value"

# Verify export
echo $TF_VAR_cloudflare_api_token
# If empty, source .env again
source .env
export TF_VAR_cloudflare_api_token="$CLOUDFLARE_API_TOKEN"

# Check if .env is in repo root
cd /path/to/charon
ls .env
# Verify token format
# Cloudflare: Long alphanumeric string
# Linode: Starts with alphanumeric characters
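The export step and the format rule from the troubleshooting notes above, combined into one check script. This is an added example, not code from the Charon repository; it assumes the Terraform feature flags (freeipa_enabled, redmine_enabled, vllm_enabled, rwx_storage_enabled) are passed as arguments, and treats vllm_enabled as meaning private models are in use.

```shell
#!/bin/sh
# Added example (not Charon's own code): validate .env against the rules in
# this reference, then export TF_VAR_cloudflare_api_token. Passing the flags
# (freeipa_enabled, redmine_enabled, ...) as arguments is an assumption.
set -u

# check_env_format FILE: 0 if every non-comment line is KEY="value" with no
# spaces around '=' (the troubleshooting rule above), else 1.
check_env_format() {
  file="$1"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac   # blank lines and comments
    if ! printf '%s\n' "$line" | grep -Eq '^[A-Z_][A-Z0-9_]*="[^"]*"$'; then
      echo "bad line, expected KEY=\"value\": ${line%%=*}" >&2   # key only, never the value
      return 1
    fi
  done < "$file"
}

# required_vars FLAG...: variables this reference requires for the given flags.
# vllm_enabled is treated as "private models in use" (assumption).
required_vars() {
  echo CLOUDFLARE_API_TOKEN
  for flag in "$@"; do
    case "$flag" in
      freeipa_enabled) printf '%s\n' FREEIPA_ADMIN_PASSWORD FREEIPA_DOMAIN FREEIPA_REALM ;;
      redmine_enabled) printf '%s\n' REDMINE_DB_HOST REDMINE_DB_PORT REDMINE_DB_NAME \
                                     REDMINE_DB_USER REDMINE_DB_PASSWORD ;;
      vllm_enabled) echo HUGGINGFACE_TOKEN ;;
      rwx_storage_enabled) echo LINODE_TOKEN ;;
    esac
  done
}

# load_charon_env FILE FLAG...: check format, source FILE with export on,
# return 2 if a required variable is unset or empty, then export for Terraform.
load_charon_env() {
  file="$1"; shift
  case "$file" in */*) ;; *) file="./$file" ;; esac   # '.' must not search PATH
  check_env_format "$file" || return 1
  set -a; . "$file"; set +a
  missing=0
  for v in $(required_vars "$@"); do
    eval "val=\${$v:-}"                 # $v comes only from required_vars above
    if [ -z "$val" ]; then echo "missing: $v" >&2; missing=1; fi
  done
  [ "$missing" -eq 0 ] || return 2
  export TF_VAR_cloudflare_api_token="$CLOUDFLARE_API_TOKEN"
}
```

Source the file and run `load_charon_env .env freeipa_enabled redmine_enabled` from the repository root; a non-zero return names the offending key on stderr without printing its value.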